Six months ago, the NBI arrested 20-year-old Paul Biteng for hacking the Comelec website, said to be the biggest government data security breach in history. They said he could face up to 20 years in prison. Jail—or could it just be a huge waste of young brain?

"You have dialed a highly classified top secret phone number. We are now tracking your location. You cannot run. You cannot hide. There is no escape. In two minutes a special commando team will swoop down on you and will arrest you with whatever means necessary. Do not—repeat—do not even think of escaping. You have illegally tapped into the secret government communications network. You have just dialed yourself into being one of the most wanted terrorists in the world. So—

—Stay right there, okay?! Don't hang up! He'll answer the phone soon enough!"

That is Paul Biteng’s ringback tone. The kid is alright, but he’s got a sick sense of humor. For a while there, we thought it was real. The kid having done what he did, we’d have believed every word of the stupid ringback.

In April, Paul Biteng, 20, was on national news when he was arrested for hacking the Comelec website. Hacked government websites are not new, but Paul’s timing was impeccable: he did it with a little more than a month to go before the 2016 presidential elections, just as the Comelec was at a critical juncture preparing for the automated polls. The government agency said their system was secure; not long after, data on 55 million voters—including passport details and fingerprints—was leaked on the web. Some news reports claimed it was the “biggest government-related data breach in history.”

A 20-year-old did that, and that was our story.

After almost a month of looking, FHM tracked down Paul, now out on bail, through a fellow hacker. Following a series of text messages and a few phone calls (with the first one pranking us good), he agreed to meet in a mall somewhere in Manila.

At the meet-up point, it felt like a Ludlum thriller. We were to rendezvous with PhantomHacker Khalifa, responsible for the biggest government security data breach in history. After fifteen minutes of standing around in the mall, three security guards had placed themselves at strategic points with direct lines of sight to us, communicating on their radios. Our photographer was carrying a backpack; we figured they thought we looked suspicious. Maybe we were.

Then Paul arrived.

He was sipping on Starbucks and had on a V for Vendetta t-shirt. His hair was wiry and he had plugs for earrings. He was lanky, about 5’5”, and he had this silly grin on his face. He didn’t look like he had graduated from high school yet. He was with a girl—not his girlfriend, he said—who looked even younger.

It has been determined that although Paul hacked the Comelec website, he didn’t leak the information on the web—two other hackers who got his codes in their community forum did that. “They [Comelec] kept saying it was secured, so I tested whether it could be punched through—that’s our term for it, punching a hole to get in. I found something, so I reported it [to Comelec]. But they didn’t reply,” Paul says.

Here is how Paul may have done it, from a geek perspective, according to two IT experts—Pierre Tito Galla, a consulting ICT expert for various government institutions like the Senate and Congress, the National Telecommunications Commission, and the Philippine National Police; and Marie Ricana, who has held IT admin and director positions at various government and private companies:

“Biteng may have exploited an existing vulnerability/set of vulnerabilities in the website. Likely, the vulnerabilities existed because the patching and security updates of the website were not done faithfully, in a timely manner, and with a sense of urgency,” Galla explains.

Ricana speculates Biteng did an SQL injection via Voter's Registration Status Verification/Precinct Finder. “The reason why I thought [he did it] through the Precinct finder is because, 1) Using an open text box form is an easy and careless way of doing searches, especially if you don’t take the necessary precautions; 2) [The Precinct finder] has a direct access to [Comelec’s] voters’ database (which is the database that was actually stolen); and 3) Of all the services in the Comelec website, it was the first to be removed from the site.”

This was a pretty easy job to do, too, say Ricana and Galla. “On a scale of 1 to 5 [on the difficulty scale], it’s probably a 1,” says Galla. “Scripts that do these things can be copy-pasted from so many places, and they aren't all in the dark web.” Ricana agrees: “If indeed the hacking was done via SQL injection, then that means what [Comelec] did was lacking in terms of coding. With someone who has the tech knowledge and malicious intent, it would have been easy to do it.”
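To make Ricana's reasoning about an unguarded text box with direct access to the voters' database concrete, here is an added example (not from the article and not Comelec's code) of a precinct lookup in its weak and hardened forms. The schema, function names and sample rows are constructed assumptions, and Python's built-in sqlite3 stands in for the real database.

```python
import re
import sqlite3

# Constructed schema and rows; table/column names are assumptions for this example.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE voters (voter_id TEXT PRIMARY KEY, full_name TEXT,
                             birth_date TEXT, passport_no TEXT, precinct TEXT);
        INSERT INTO voters VALUES
          ('V-0001', 'DELA CRUZ, JUAN', '1990-01-01', 'P0000001', '0123A'),
          ('V-0002', 'SANTOS, MARIA', '1985-05-05', 'P0000002', '0456B');
        -- The finder needs only these columns, so expose only these.
        CREATE VIEW precinct_lookup AS
          SELECT full_name, birth_date, precinct FROM voters;
    """)
    return db

def find_precinct_unsafe(db, name):
    # Weak form: the text-box value is pasted into the SQL string, so the
    # database parses user input as part of the statement itself.
    sql = "SELECT * FROM voters WHERE full_name = '" + name + "'"
    return db.execute(sql).fetchall()

NAME_RE = re.compile(r"[A-ZÑ .,'\-]{1,80}")   # letters and name punctuation
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")

def find_precinct_safe(db, name, birth_date):
    # Hardened form: check the input's shape, bind values as parameters
    # (never concatenated), read from the narrow view, and return one
    # precinct code instead of whole voter rows.
    name = name.strip().upper()
    if not NAME_RE.fullmatch(name) or not DATE_RE.fullmatch(birth_date):
        return None
    row = db.execute(
        "SELECT precinct FROM precinct_lookup "
        "WHERE full_name = ? AND birth_date = ? LIMIT 1",
        (name, birth_date),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = build_db()
    crafted = "x' OR '1'='1"  # constructed input, not taken from the incident
    print(len(find_precinct_unsafe(db, crafted)), "full rows returned by the weak form")
    print(find_precinct_safe(db, crafted, "1990-01-01"))
    print(find_precinct_safe(db, "dela cruz, juan", "1990-01-01"))
```

The bound parameters are the control that matters: a value that passes the shape check but still contains quotes is compared as a literal name and simply matches nothing.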

So apparently, it doesn’t take much to hack Comelec’s website—it could have been done by a local hacker who had just graduated from school. Ricana enumerates the necessary skills to hack: “The hackers need competencies in the most common programming languages, especially those that are used to program websites and web apps (e.g. PHP, MySQL, JavaScript, Visual Basic). Competencies in navigating web servers (which are more often than not, run in Linux).” Galla is more succinct: “They need the ability to search for reading material on vulnerabilities, search for scripts, and replicate them. In other words, Google and cut and paste.”

Paul spent all of one summer after high school in 2012 learning to hack.

Bounty hunter

Paul Z. Biteng: underachiever, row 4 student, too lazy to study.

At least if it wasn’t about computers and coding and, eventually, hacking, that is how Paul thinks his entire life has been thus far.

The Balic-Balic, Sampaloc boy spent his grade school years at Legarda Elementary School in Sampaloc, Manila. He admits he didn’t excel in any subject, but he did play some sports. “Soccer.” He had a couple friends. That is all that Paul can recall.

When he was in second year high school, his family bought a computer set for cheap. Soon after, they had internet connection.

“At first, it was just Facebook and games. Until I started working part-time developing Ragnarok.” First he played the game, then learned it well enough to know how to customize the settings of the game on private servers for which some players were willing to pay to be able to play. It sounds like a technological leap for a kid, but Paul says he had been into computers since he was three. For him it was easy, and he showed his aptitude for coding when he began college as an IT student.

It was also in college that he found hacking to be a cool thing. “I wanted to imitate The Matrix,” Paul says.

Just as quickly as he learned how to hack and met fellow hackers on social media, he began to earn money spotting weaknesses in websites through what is called a Bug Bounty Program.

De La Salle University law professor and litigation lawyer Andre de Jesus, founding partner at Esguerra Dy de Jesus Chico Law, says Paul broke two similar laws: the E-Commerce Law or Republic Act 8792 (which regulates computer interaction in the country) and the controversial Cybercrime Prevention Act (which criminalizes several online activities such as cybersquatting, libel, and access to data without right).

“[Biteng] can be prosecuted for different counts based on different provisions of each law,” says Atty. de Jesus. “He can be prosecuted for hacking, for the fact that he accessed the Comelec website without right. He can also be prosecuted separately for computer-related identity theft. This last one means you intentionally acquire, use, misuse, transfer, possess, alter, or delete the identifying information of another without right. I think these are the offenses that were committed by Paul Biteng.”

For all these violations, Biteng may be slapped with fines and imprisonment. The E-Commerce Act imposes “a minimum fine of P100,000 to a maximum amount commensurate to the damage incurred,” says de Jesus. “There is also imprisonment from a minimum of six months to a maximum of three years. For violating the Cybercrime Prevention Act, Biteng may be imprisoned for at least six years and imposed with a fine of at least P200,000.”

There’s more.

Biteng could also be charged with illegal access against a critical infrastructure. De Jesus explains: “Critical infrastructure [refers to] computer systems, programs, traffic data so vital to our country that the interference with, the destruction of, or the tampering of these data or assets will have a debilitating effect on national or economic security, national public health and safety or a combination of all those.”

If prosecutors can prove that the Comelec website is critical infrastructure, Biteng could be imprisoned for 12 to 20 years and/or slapped with a minimum fine of P500,000.

“Maybe some sort of reduction of his prison sentence (which does not exist yet) could be extended to him,” says de Jesus. “But I think we should send a message that crime must be punished. Otherwise, we’d be incentivizing the wrong actions in our government. Simply put, Biteng committed a crime and he must be held responsible for it, whether or not his punishment is reduced.”

Hire

“On behalf of over a billion users, we would like to thank the following people for making a responsible disclosure to us,” says Facebook on its White Hat page, last updated on May 14, 2016. It cited Biteng among a handful of other “white hat” hackers for helping them by reporting weaknesses in their system in 2014.

Microsoft, on its website, also gave Biteng recognition as one of its June 2014 Security Researchers. “The Microsoft Security Response Center (MSRC) is pleased to recognize the security researchers who have helped make Microsoft online services safer by finding and reporting security vulnerabilities,” the company said. “Each name listed represents an individual or company who has privately disclosed one or more security vulnerabilities in our online services and worked with us to remediate the issue.”

Leo Nocom, a senior web developer at a multinational IT firm based in Makati, agrees that the government should not let Biteng’s talents go to waste. “He can work initially as a Quality Assurance officer, or a white hacker,” he says. “His skills would be useful in finding and exposing vulnerabilities in systems before hackers do. He’d then be the one to report them to web developers and help them find a fix.”

According to salary survey site Payscale, a certified ethical hacker (CEH) could earn anywhere between $49,330 and $133,869 annually, or about P189,098 to P513,165 monthly.

If Paul is acquitted and taken in by an IT or tech firm, he will join the likes of Nicholas Allegra, who Apple got as an intern after he created a website that allowed users to jailbreak their devices and run unauthorized software; and Jeff Moss, who once ran an underground online community for hackers and is now a consultant for the US Homeland Security Advisory Council.

There’s another option. “The most effective whistle blowers, in general, are those who are not on the periphery but come from within the anomalies that are being exposed,” says de Jesus. “If the rumors are true that Biteng is, in fact, a member of Anonymous Philippines, [hiring Biteng] might not just be able to improve the cyber security system of the Philippines but also somehow temper the propensity of Anonymous to just deface [websites] without any real purpose.”

Clifford Trigo (hackerone.com/cliffordtrigo), a security researcher and second in HackerOne’s overall hacker list, has been an online friend of Paul Biteng’s for three years now—but they have met only once in person. He was instrumental in helping Paul raise funds for his bail.

“Yes, he’s a good friend. #freepaulbiteng.info was initiated because we don’t want to see an always happy and talented young friend go to jail,” says Clifford. “He has a legit skill talking with databases using SQL injection attack. He also has ‘fast hands’ as we always play League of Legends during our free time. Paul is only 20. He might have crossed the [line] but I strongly believe his skill is a big use to the government; an asset for a better and secure Philippine cyberspace.”

He'll call you

“I don’t like it when they’re the ones who come to get me,” says Paul of the reason he rejected an offer from two companies.

Paul Loui Z. Biteng, 20. Hacker. Responsible for what they say is the biggest government data security breach in history. Not quite sure of his own capabilities because, really, he just learned hacking on Google, in his free time. IT graduate. Bug Bounty Hunter. Likes reggae, R and B, and hip-hop. Drinks. Smokes. Gets scolded by his parents because he stays out till late hanging at friends’ houses. Doesn’t watch TV because who among his age still watches TV? Has an easy grin and probably should have a girlfriend.

Just a kid.

This article originally appeared in the July 2016 issue of FHM Philippines.